Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: upgrade express to v4.21.1 to quiet automated scans #7952

Merged
merged 1 commit into from
Oct 29, 2024

Conversation

glasser
Copy link
Member

@glasser glasser commented Oct 29, 2024

@apollo/server depends on express which depends on cookie. Versions of express older than v4.21.1 depend on a version of cookie vulnerable to CVE-2024-47764. Users of older express versions who call res.cookie() or res.clearCookie() may be vulnerable to this issue.

However, Apollo Server does not call this function directly, and it does not expose any object to user code that allows TypeScript users to call this function without an unsafe cast.

The only way that this direct dependency can cause a vulnerability for users of Apollo Server is if you call startStandaloneServer with a context function that calls Express-specific methods such as res.cookie() or res.clearCookies() on the response object, which is a violation of the TypeScript types provided by startStandaloneServer (which only promise that the response object is a core Node.js http.ServerResponse rather than the Express-specific subclass). So this vulnerability can only affect Apollo Server users who use unsafe JavaScript or unsafe as typecasts in TypeScript.

However, this upgrade will at least prevent vulnerability scanners from alerting you to this dependency, and we encourage all Express users to upgrade their project's own express dependency to v4.21.1 or newer.

Fixes #7936.

`@apollo/server` depends on `express` which depends on `cookie`.
Versions of `express` older than v4.21.1 depend on a version of `cookie`
vulnerable to CVE-2024-47764. Users of older `express` versions who call
`res.cookie()` or `res.clearCookie()` may be vulnerable to this issue.

However, Apollo Server does not call this function directly, and it does
not expose any object to user code that allows TypeScript users to call
this function without an unsafe cast.

The only way that this direct dependency can cause a vulnerability for
users of Apollo Server is if you call `startStandaloneServer` with a
context function that calls Express-specific methods such as
`res.cookie()` or `res.clearCookies()` on the response object, which is
a violation of the TypeScript types provided by `startStandaloneServer`
(which only promise that the response object is a core Node.js
`http.ServerResponse` rather than the Express-specific subclass). So
this vulnerability can only affect Apollo Server users who use unsafe
JavaScript or unsafe `as` typecasts in TypeScript.

However, this upgrade will at least prevent vulnerability scanners from
alerting you to this dependency, and we encourage all Express users to
upgrade their project's own `express` dependency to v4.21.1 or newer.

Fixes #7936.
@svc-apollo-docs
Copy link
Collaborator

svc-apollo-docs commented Oct 29, 2024

✅ Docs Preview Ready

No new or changed pages found.

Copy link

netlify bot commented Oct 29, 2024

Deploy Preview for apollo-server-docs canceled.

Name Link
🔨 Latest commit 0f91124
🔍 Latest deploy log https://app.netlify.com/sites/apollo-server-docs/deploys/672127a13118520008401ba7

Copy link

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

@glasser glasser merged commit bb81b2c into main Oct 29, 2024
24 checks passed
@glasser glasser deleted the glasser/upgrade-express branch October 29, 2024 18:27
@github-actions github-actions bot mentioned this pull request Oct 29, 2024
glasser pushed a commit that referenced this pull request Oct 29, 2024
This PR was opened by the [Changesets
release](https://github.com/changesets/action) GitHub action. When
you're ready to do a release, you can merge this and the packages will
be published to npm automatically. If you're not ready to do a release
yet, that's fine, whenever you add more changesets to main, this PR will
be updated.


# Releases
## @apollo/server-integration-testsuite@4.11.1

### Patch Changes

- [#7952](#7952)
[`bb81b2c`](bb81b2c)
Thanks [@glasser](https://github.com/glasser)! - Upgrade dependencies so
that automated scans don't detect a vulnerability.

`@apollo/server` depends on `express` which depends on `cookie`.
Versions of `express` older than v4.21.1 depend on a version of `cookie`
vulnerable to CVE-2024-47764. Users of older `express` versions who call
`res.cookie()` or `res.clearCookie()` may be vulnerable to this issue.

However, Apollo Server does not call this function directly, and it does
not expose any object to user code that allows TypeScript users to call
this function without an unsafe cast.

The only way that this direct dependency can cause a vulnerability for
users of Apollo Server is if you call `startStandaloneServer` with a
context function that calls Express-specific methods such as
`res.cookie()` or `res.clearCookies()` on the response object, which is
a violation of the TypeScript types provided by `startStandaloneServer`
(which only promise that the response object is a core Node.js
`http.ServerResponse` rather than the Express-specific subclass). So
this vulnerability can only affect Apollo Server users who use unsafe
JavaScript or unsafe `as` typecasts in TypeScript.

However, this upgrade will at least prevent vulnerability scanners from
alerting you to this dependency, and we encourage all Express users to
upgrade their project's own `express` dependency to v4.21.1 or newer.

- Updated dependencies
\[[`bb81b2c`](bb81b2c)]:
    -   @apollo/server@4.11.1

## @apollo/server@4.11.1

### Patch Changes

- [#7952](#7952)
[`bb81b2c`](bb81b2c)
Thanks [@glasser](https://github.com/glasser)! - Upgrade dependencies so
that automated scans don't detect a vulnerability.

`@apollo/server` depends on `express` which depends on `cookie`.
Versions of `express` older than v4.21.1 depend on a version of `cookie`
vulnerable to CVE-2024-47764. Users of older `express` versions who call
`res.cookie()` or `res.clearCookie()` may be vulnerable to this issue.

However, Apollo Server does not call this function directly, and it does
not expose any object to user code that allows TypeScript users to call
this function without an unsafe cast.

The only way that this direct dependency can cause a vulnerability for
users of Apollo Server is if you call `startStandaloneServer` with a
context function that calls Express-specific methods such as
`res.cookie()` or `res.clearCookies()` on the response object, which is
a violation of the TypeScript types provided by `startStandaloneServer`
(which only promise that the response object is a core Node.js
`http.ServerResponse` rather than the Express-specific subclass). So
this vulnerability can only affect Apollo Server users who use unsafe
JavaScript or unsafe `as` typecasts in TypeScript.

However, this upgrade will at least prevent vulnerability scanners from
alerting you to this dependency, and we encourage all Express users to
upgrade their project's own `express` dependency to v4.21.1 or newer.

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 29, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

apollo-server-express dependency on cookie <7.0 (CVE-2024-47764)
2 participants